After installing or upgrading to vSphere 8.0 Update 3, you can configure vCenter Server Identity Provider Federation for PingFederate as an external identity provider.

High-Level Steps to Configure vCenter Server Identity Provider for PingFederate

Configuring vCenter Server for PingFederate involves the following high-level steps:

  1. On PingFederate, creating the vCenter Server/VMware Identity Services specific configuration, including the scopes and common configuration for PingFederate workflows.
  2. On PingFederate, creating global items, including the Password Grant Flow configuration and Authorization Code Flow configuration.
  3. On PingFederate, installing the SCIM Provisioner.
  4. On vCenter Server, creating the PingFederate identity provider.
  5. On PingFederate, creating the SCIM Application (SP Connection).
  6. On vCenter Server, authorizing PingFederate users.
Note: The instructions in this documentation create a typical setup for your PingFederate server. Your environment might differ, and thus you might make different selections.

Prerequisites to Configure vCenter Server Identity Provider for PingFederate

PingFederate requirements:

  • You have installed an on-premises PingFederate server.
  • From the vCenter Server on which you configure the PingFederate identity provider, you must obtain the trusted root certificates and import them into the PingFederate server.
  • Optionally, you might need to import the PingFederate SSL certificate, or certificate chain, to the vCenter Server, if that certificate is self-signed (that is, not issued by a well-known, public Certificate Authority). If the PingFederate SSL certificate or one of the certificates in the chain was issued by a well-known Certificate Authority, vCenter Server automatically trusts that certificate, and you do not need to import it. If you are using one or more intermediate signing authorities for your PingFederate server SSL certificate, include the entire chain of certificates.

    To export the PingFederate SSL certificate, in the PingFederate Admin Console, go to Security > SSL Server Certificates, select the default certificate, and select Export from the Select Action drop-down.

    You import the PingFederate SSL certificate using the vSphere Client in the OpenID Connect panel as part of the configure identity provider workflow.

  • To perform OIDC logins and manage user and group permissions, you must create the following PingFederate applications.
    • A PingFederate native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.
    • A System for Cross-domain Identity Management (SCIM) 2.0 application (in PingFederate, this is called the SP Connection), with an OAuth 2.0 Bearer Token to perform user and group synchronization between the PingFederate server and the vCenter Server.
  • You have identified the PingFederate users and groups that you want to share with vCenter Server. This sharing is a SCIM operation (not an OIDC operation).

PingFederate connectivity requirements:

  • vCenter Server must be able to connect to the PingFederate discovery endpoint, and the authorization, token, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • PingFederate must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning.
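The connectivity requirement above can be checked from the discovery metadata itself. The following Python sketch is an added example, not VMware or Ping Identity code. It lists the distinct host and port pairs that vCenter Server must reach and flags issuer, scheme, and grant-type gaps. The hostnames, paths, and the `review_discovery` helper are constructed for illustration, and the required grant types are the three listed in the prerequisites.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_GRANTS = {"authorization_code", "refresh_token", "password"}

# Constructed sample discovery document; hostnames and paths are illustrative.
SAMPLE_URL = "https://pingfed.example.com:9031" + WELL_KNOWN
SAMPLE_DOC = json.loads("""{
  "issuer": "https://pingfed.example.com:9031",
  "authorization_endpoint": "https://pingfed.example.com:9031/as/authorization.oauth2",
  "token_endpoint": "https://pingfed.example.com:9031/as/token.oauth2",
  "jwks_uri": "https://pingfed.example.com:9031/pf/JWKS",
  "revocation_endpoint": "https://login.example.com/as/revoke_token.oauth2",
  "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"]
}""")


def review_discovery(discovery_url, doc):
    """Return (sorted (host, port) targets, list of problems) for one document."""
    targets, problems = set(), []
    # OIDC Discovery: the issuer must equal the URL the metadata was fetched
    # from, minus the well-known suffix.
    if (not discovery_url.endswith(WELL_KNOWN)
            or doc.get("issuer") != discovery_url[: -len(WELL_KNOWN)]):
        problems.append("issuer does not match discovery URL")
    for key, value in sorted(doc.items()):
        if not (key in ("issuer", "jwks_uri") or key.endswith("_endpoint")):
            continue
        url = urlsplit(str(value))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key} is not an https URL: {value}")
            continue
        targets.add((url.hostname, url.port or 443))
    # Server-wide advertisement only; the spec default applies if the key is absent.
    advertised = set(doc.get("grant_types_supported", ["authorization_code", "implicit"]))
    for grant in sorted(REQUIRED_GRANTS - advertised):
        problems.append(f"grant type not advertised: {grant}")
    return sorted(targets), problems


if __name__ == "__main__":
    hosts, issues = review_discovery(SAMPLE_URL, SAMPLE_DOC)
    for host, port in hosts:
        print(f"allow vCenter Server -> {host}:{port}/tcp")
    for issue in issues:
        print("CHECK:", issue)
```

The grant-type check reflects only what the server advertises globally; the grant types of the native application are still set on the client in PingFederate.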

vCenter Server requirements:

  • vSphere 8.0 Update 3
  • On the vCenter Server where you want to create the PingFederate identity source, verify that the VMware Identity Services are activated.
    Note: When you install or upgrade to vSphere 8.0 Update 1 or later, VMware Identity Services are activated by default. You can use the vCenter Server Management Interface to confirm the status of the VMware Identity Services. See Stop and Start the VMware Identity Services.

vSphere privileges requirements:

  • You must have the VcIdentityProviders.Manage privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the VcIdentityProviders.Read privilege.

Enhanced Linked Mode requirements:

  • You can configure vCenter Server Identity Provider Federation for PingFederate in an Enhanced Linked Mode configuration. When you configure PingFederate in an Enhanced Linked Mode configuration, you configure the PingFederate identity provider to use VMware Identity Services on a single vCenter Server system. For example, if your Enhanced Linked Mode configuration consists of two vCenter Server systems, only one vCenter Server and its instance of VMware Identity Services are used to communicate with the PingFederate server. If this vCenter Server system becomes unavailable, you can configure VMware Identity Services on another vCenter Server in the ELM configuration to interact with your PingFederate server. For more information, see Activation Process for External Identity Providers in Enhanced Linked Mode Configurations.
  • When configuring PingFederate as an external identity provider, all the vCenter Server systems in an Enhanced Linked Mode configuration must run at least vSphere 8.0 Update 3.